Weeks after it started attacking and encrypting victims' files, Locky is still targeting many users. In order to provide more information about this threat, we have put together some information to help protect you in a better way.

Short summary

Win32/Filecoder.Locky.A is a ransomware variant that encrypts files with over 100 file types such as images, videos, databases, etc. on fixed, removable, and network drives. When executed, the ransomware copies itself into the following location: %temp%\­svchost.exe and adds a registry entry in order to be executed on every system start.

The attack vector is a regular email message with an attachment (previous variants were using Word or Excel attachments containing malicious macros). This attachment comes with a Trojan Downloader, usually from the Family detected by ESET as JS/TrojanDownloader.Nemucod, among other variants. Once opened, this file contains a JavaScript (.js) file and when it’s executed it downloads and executes the payload, Locky in this case.

Once opened, Nemucod executes a JavaScript (.js) file, which then downloads and executes its payload. In this case, Win32/Filecoder.Locky.A is launched and it searchers for for files in local and network drivers. It the encrypts them and then renames the file by changing its extension to ‘.locky’. After doing that, the Locky ransomware changes the system wallpaper so that the desktop background now contains the following text:


After this step, the user is requested to pay a ransom and the trojan removes itself from the computer. In addition, the malware collects information about the OS and system settings, as well as the list of the encrypted files; it then attempts to send these data to a remote machine, using the HTTP protocol.

As currently seen in ransomware variants, all the payment instructions are stored in a TOR link and the payment has to be made using bitcoins.

Current Campaigns

Since the end of February we have observed several propagation campaigns of ransomware – for example Locky and TeslaCrypt – being spread using the JS/TrojanDownloader.Nemucod malware. Those campaigns have achieved very high detection rates in ESET telemetry systems, such as LiveGrid®, with countries like Japan reaching almost 80%.

Those detection rates are calculated thanks to the users who are sending data automatically using the LiveGrid® System; it shows what percentage of the total amount of detected malware in our servers belongs to one variant.

If we take a look to the last week’s information, we can observe three big propagation campaigns since the end of February, the last one still being active at the time of writing (March 17th):


Which countries were more affected by these Trojan Downloaders propagation campaigns during last month? Japan leads the list, followed by other European countries such as Italy, UK and Ireland. We have to take in consideration that these detection rates changes every day and some countries like Germany and Spain also have very high detection rates:


Other regions such as North America, Australia, New Zealand and South Africa have also been affected and, since the email used to spread the ransomware is usually written in English, it makes sense that most of the mentioned areas are the ones where we find most of the detections.

It’s also interesting that the criminals are targeting most of the wealthiest countries, maybe expecting that the infected users will be more likely to pay in those countries.

How to protect yourself?

While protection methods that have been mentioned before in other ransomware campaigns applies perfectly to Locky, it’s not bad to review them and add some new ones:

  • Backup are essential. Face it, the last thing you would want is a nasty ransomware encrypting all your personal files and having to pay to recover them. It’s always a good idea to have a backup copy of your files stored in another external hard drive or even in a cloud storage system.

Just make sure that you only connect to this backup system when you are doing the copy of the files. If you don’t, you might find your backup files also encrypted, since most ransomware looks for external drives and even shared folders and cloud storage services mapped to your file system.

  • Make sure that your antivirus is up to date, and if it has an early warning system, make sure that it is activated. That’s the difference between having to wait hours for a virus signature that detects a new threat or just minutes.
  • Update your system and all the installed software. Exploits that take advantage of security holes in the system and applications are commonly used by malware creators. Don’t let the cybercriminals infect your system just because you forgot to install the most recent updates.
  • Secure your system. Besides keeping it updated, there are other methods that can help you to keep your system safe. Windows UAC is always a good start since you can configure it to require additional permission to execute an unknown file.
  • If you are in a business environment and you have Windows Active Directory, you can set group polices in a way that prevents ransomware from executing and starting to encrypt your files or to spread through your network. You can even prevent Office macros from being executed, so you will not have to worry about some employee opening a malicious Office document, as you can see in the recently released Office 2016 update.